I'm working with Authentication in Azure App Service, AKA "Easy Authentication"
https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-overview
It works fine if I browse my azure web-site using it's Azure name: [myid].azurewebsites.net
But if place my web-site behind a reverse proxy, after authentication, I'm always redirected to [myid].azurewebsites.net instead of www.[mydomain].com. The reverse proxy is correctly configured to serve my pages and all work fine without authentication.
I think that the root cause is how the redirect_uri parameter is built by "Easy Authentication". Using Chrome F12 I noticed that during the initial redirect to authentication service, the browser url is built using [myid].azurewebsites.net instead of www.[mydomain].com.
https://login.windows.net/034...51/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmyid.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&......
I can't find a way to instruct/force "Easy Authentication" to use www.[mydomain].com
Any suggestions or idea?
--- update ---
I use Nginx as reverse-proxy. The relevant fragment of the configuration file (redacted):
server {
server_name www.mydomain.com;
listen 80;
listen 443 ssl;
...
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-Host $host;
proxy_pass https://myid.azurewebsites.net/;
}
}
We need to include an extra parameter to instruct where the process should redirect to after successful authentication. We can do this with the 'post_login_redirect_uri' parameter. Without this, the process will redirect to a default 'Authentication Successful' page with a link to go back to the site.
For more details, refer to this document: https://weblogs.asp.net/pglavich/easy-auth-app-service-authentication-using-multiple-providers.
According to your description, I used URL Rewrite and Azure Functions Proxies as my reverse-proxy to test this issue, I found that I could encounter the same issue as you mentioned. I also tried to compare Headers、ServerVariables between accessing via reverse-proxy and directly accessing, and tried to override the related headers to narrow this issue, but failed in the end. I assumed that since we are using the build-in App Service Authentication / Authorization, we could not override the generating for the redirect_uri parameter.
Per my understanding, you could set the additional header(s) under your reverse-proxy, then build the authentication / Authorization in your application to pick up the additional header for generating the redirect_uri and redirect user to the related authorize endpoint. Or you could use Traffic Manager for Load Balancer, and you could follow this issue. Additionally, if you just want to customize your azure web app domain, you could follow here.
Related
Is it possible to set X-Forwarded-Proto header to https (I belive by default it's http). I have an application behind AFD that is configured with SAML that requires such header in order to properly direct call back.
I was going to use rules engine configuration to configure response header, but it's not allowed (see the picture).
Any suggestions? Much appreciated.
I'm currently running a windows azure web app behind an application gateway v2.
I would like to use header information for x-forwarded-host or x-original-host - but it does not work.
Now I'd like to trace what request headers are actually received by the web app. I'm trying network-capturing. But as the whole traffic is HTTPs - I guess I'm not seeing all the fields.
Any Idea?
You can configure application gateway to modify request and response headers and URL by using Rewrite HTTP headers and URL or to modify the URI path by using a path-override setting. However, unless configured to do so, all incoming requests are proxied to the backend.
For more details, you can read the offical document.
I have a problem configuring my Open Auth ID .net Core 2 application as an App Service behind a Web Application Firewall using a Path based routing.
My application is myapp.azurewebsites.net with a network restriction making it inaccessible from the public internet. I have deployed a WAF in the same VNET and allowed traffic between the WAF and App Service using a Path based route "/Admin*".
The effect is that https://myapp.azurewebsites.net is not internet accessible but https://myWAF/Admin is accessible and maps to the app service.
This setup works fine, but when I introduce Open ID auth to my .net core application the outgoing Location header includes its myapp.azurewebsites.net/signin-oidc as the reply URI.
This doesn't work because the host is not accessible from the internet. I have attempted several approaches;
I have added the WAF URL (https://myWAF/Admin/signin-oidc) in the application registration URL in Azure App Registrations to allow AAD to accept the modified URL (as legitimate
I have coded app.UseForwardedHeaders (forcing reuse of all X-Forwarded headers) in my startup.cs. This doesn't seem to have any affect on the Location header being sent by my App Service.I presume the WAF is sending X-Forwarded headers, but if it is, the Open Auth ID stack isn't using them.
I have coded a header rewrite in the WAF to replace the myapp.azurewebsites.net with the WAF URL. This does replace the URL correctly and allows the callback, but then fails with a Correllation Error (which seems to be a generic Open ID stack error meaning "the nonce does not match". Its possible that the nonce is predicated on the URL being called back to - which in my case changes due to the WAF redirection, but that's a guess).
It seems to me like I should be able to use the X-Forwarded headers in my app to get around the need to code up header re-writes in the WAF, but I can't find an example where this is used successfully to alter the Reply URI being sent out by Open ID.
My question it; is using the X-Forwarded header the correct approach to handling proxies in an OAuth context, or is header-rewriting in the WAF the correct approach ?
I have set
After much investigation I found the following;
WAF does not send the standard X-Forwarded-Host to App Services but sends X-Original-Host instead. Documented here https://feedback.azure.com/forums/217313-networking/suggestions/33657763-add-the-x-forwarded-host-header-to-application-gat
The ForwardedHeaderOptions that ASP.net Core 2 uses in its ForwardedHeaders middleware have an option to replace the expected and supported "X-Forwarded-Host" with an arbitrary other host header name. This behaviour can be triggered as follows to replace the use of the x-Forwarded-Host with the WAF specific X-Original-Host.
options.ForwardedHostHeaderName = "X-ORIGINAL-HOST";
WAF does not pass the Path of the Path Based Route down the Http Header stack as expected in the PathBase header. This must be added to the Request Headers either in the WAF via a Header Rewrite, or inside the app as follows (in this case the apps Path Route is /Admin);
app.Use((context, next) =>
{
context.Request.PathBase = new PathString("/Admin");
return next();
});
I choose to host my website in Azure.So I've created a App Service.Then Created a new domain for my App then created/bind the SSL certificate to my corresponding website.
After done with the SSL certificate .I'm still seeing my website url as http//: and not https://
Also i'm not seeing the Green URL for my Website ..!
It look like this
(P.s : My App Service Tier is AzureFreeTier (Basic: 1 Small)
My SSL Type is SNL SSL)
Please help to resolve my problem here
Thanks in Advance,
Jayendran
You need to do a redirect from HTTP to HTTPS. Installing a certificate just makes using HTTPS with your custom domain name possible.
You can either:
Configure your app to redirect to HTTPS when it receives a request over HTTP + enable HTTP Strict Transport Security
Or use an extension in Web Apps to do the first thing:
To install the extension, open your web app blade in Azure Portal. Go to Extensions, then click Add. Then you should find Redirect HTTP to HTTPS from the list and install it.
That will redirect any HTTP calls to HTTPS for you. I would still recommend adding Strict-Transport-Security headers to your responses to make sure your clients do not access your site insecurely the next time.
The reason you arrive to your site on HTTPS after AAD login is because the HTTPS version of your app's URL has been configured in AAD as the reply URL.
And this:
Your Connection to this site is not fully secure Attackers might be able to see the images
is a mixed content warning. It means you are loading content (e.g. images) using an HTTP URL in your pages. Change them to HTTPS and you will solve that problem.
I am currently using the IIS URL Rewrite Module and Application Request Routing on a server in the DMZ to forward requests to a web application running on an internal server.
The application which is deployed on the internal server has SSO which includes Azure AD using OWIN pipeline and openIdConnect.
When a user selects the authenticate using AzureAD option instead of being redirected to the https://login.microsoftonline.com/<tenantname>/...
they are redirect to http://my.company.com/<tenantname>/... where http://my.company.com is the URL used to access the application from the DMZ.
The SSO works for all internal instances i.e. where request are not being forwarded in a reverse proxy scenario.
Why is this happening when using URL Rewrite and ARR?
Unchecking the Reverse rewrite host in response headers checkbox under Application Request Routing Cache > Server Proxy Settings solved this issue.
Reverse rewrite host in response headers (checked)
ARR will rewrite the host name in the location header of a 301
response to the original host.
URL Rewrite keeps original host Location
IIS Url Rewrite ARR issue